
Actually, can someone explain to me what the real difference is between "master mode" and AdHoc or mesh networks?

Why is it that only a few chipsets can "do" proper full-blown "master mode" (i.e. be an Access Point), and yet other chipsets can be used as AdHoc or mesh? I mean - what's the fundamental difference? I've been through this with Linux systems and can't understand why I can't just grab any WLAN card, bring up the interface and whack a DHCP server on it - why doesn't that work for them all?

"It wasn't all that long ago that Microsoft was talking up the Virtual WiFi feature developed by Microsoft Research and set for inclusion in Windows 7, but something got lost along the road to release day, and the functionality never officially made it into the OS. As you might expect with anything as big and complicated as an operating system though, some of that code did make it into the final release, and there was apparently enough of it for the folks at Nomadio to exploit into a full fledged feature. That's now become Connectify, a free application from the company that effectively turns any Windows 7 computer into a virtual WiFi hotspot — letting you, for instance, wirelessly tether a number of devices to your laptop at location where only an Ethernet jack is available, or even tether a number of laptops together at a coffee shop that charges for WiFi."

You know, I always wondered why /. never points that out in TFA, because you would think that would be pretty relevant to the discussion. Company with vested interest in selling you solution A says product B is insecure, therefore you need to buy solution A.

From reading TFA (I know, but I got bored) it sounds like pretty much anything that connects to anything is gonna be labeled insecure by this guy, as it gives him a reason to sell you solution A. But pretty much any business should have figured out by now

But any technology can be exploited if used incorrectly or just left unlocked for anyone to use. It will always have to be locked down by the IT department before deployment if they don't want to be pwned and are actually worth the money they are being paid. How exactly is this news again?

Because most people using their laptop in a coffee shop and setting it up as a wifi hotspot are not going to be business users with a large corporate IT department behind them (mainly because such users will have had it di

the number of businesses who do not have a large corporate IT department (or a competent one)

So that's most of them then!

That's one of the things that people say is good about Windows - that it's so easy, anyone can use it.

They may say that - but they are wrong.

Keeping Windows secure (locking stuff down, separating user and admin accounts, installing and updating anti-malware, etc.) is too hard for most home users I know. Why do you think IE has a porn browsing mode? Because the whole family shares a single login.

Installing software on Windows is difficult (compared to Linux as long as it's in the repos, anyway)

The Windows UI is very familiar because it is widely used, but it is not actually particu

Using Windows is very easy so long as you don't expect to install it with decent hardware support OOTB or with decent security OOTB. It's so easy to use that within an hour online, it's often being used by someone the owner never intended.;-)

While all that you say is true, from what I understand (and I could be wrong) Windows doesn't have this activated by default, you have to turn it on. Any Linux install has the capacity to be an unsecured server, just hanging out there in the breeze for anybody to infect. We don't say that is a bad thing though, do we?

MSFT added a feature. Now this feature, which could be very handy for those that need to share files or want to set up a quick gaming LAN, can be misused and cause security problems. That a handy OS feature can be misused and cause a security problem applies to just about every single program that can access the net. As for corporations? Well if they pay bottom dollar and only hire the cheapest most underpaid flunky they can get to save a few bucks, and they get pwned, I should care....why exactly? Good things cost good money, the same goes for people. If a company is so badly run that this single feature can completely turn their network security into a house of cards I think they have bigger problems, don't you agree?

In the end the whole TFA felt to me like creating a bogeyman for them to defeat with their super neato security product. But you and I know security doesn't come in a can. It isn't some product you can just slap on the network and all is well. Security is an ongoing process, that must be planned, implemented, and adapt with changing conditions. And that all needs competent staff to implement correctly. In the end companies that go for bandaids like TFA's product (which may be good for all I know) will end up failing miserably when some fool on their network does something stupid. This feature won't kill any networks, piss poor admins and security policies that don't exist will take care of that all by themselves, thanks.

Well I can tell you why I'm NOT sad about this: It nearly always comes down to greed on the part of PHBs. You wouldn't expect to hire a Master's degree on minimum wage, would you? Developing good IT skills takes work, dedication, lifelong desire to learn, and a willingness to adapt to changing conditions. Yet IT seems to be the ONLY field where they act like you should be grateful to even have a job, forget getting paid well!

So no I don't feel sad about it, because I have seen companies turn away friends

In both, activating that requires admin/root access, or giving admin access to a program that does that for you.

That program could be a trojan. Still, you have to run that trojan as admin. Now, running an untrusted binary in Linux, as admin, even if it is for your architecture, seems to require a bit more complex effort on the social engineering side than in Windows to make you run it. And don't know how many Windows owners do their normal use of their machines

True. Incompetent users are the problem irrespective of platform. Never forget - computers do what you tell them to do, not what you meant them to do

The Anti-Microsoft bias is retarded, but it does highlight a problem. A problem, mind you, which has existed since Microsoft introduced Internet Connection Sharing in, what, Windows 98? Or was it from Windows 95 OSR2? The fix is to use IPSEC with per-machine certificates (ow! administration nightmare) to a gateway device for all communications. You don't need to encrypt, only to authenticate the host (AH, no ESP.) Perhaps you could also lock it down by MAC at the same time, which is only slightly useful wit

Actually, it should be "Linux has had feature W since 20VV" since it's about Windows' and Linux' capabilities to work as a WiFi access point which, as TFS states, is actually a pretty useful feature in many scenarios. The only problem with Windows' implementation is that it's presumably(*) turned on by default, which can be problematic in some environments from a security standpoint.

(*) "presumably" because TFA is awfully thin on details, and is fairly unapologetic about being an ad for some security company's

I know you were joking, but you just described our Monday morning routine with these [sunriseimaging.com] (Windows based) film scanners*, which was gleaned after careful work with the current engineers working for Sunrise.

* This is not an ad, it is a warning, they are a POS, IMHO of using them for 3 years.

Ghost ridin' the whip! No seriously, I've been wanting to use the Linux host AP features to bring up a mischievous AP that does man-in-the-middle attacks. I'd be connected to some open wifi somewhere, and someone would connect to my netbook and also see an open access point. I'd then give them the upside-downternet: http://www.ex-parrot.com/pete/upside-down-ternet.html [ex-parrot.com]

Note: I was deliberately playing down the consequences of that scenario. You could "own" someone pretty thoroughly if that someone was uninformed enough (which 90% of people are) to send sensitive stuff over the network unencrypted. Which is why I use ssh tunnels to a trusted server whenever I'm on an open AP.

SSLStrip does nothing to disable SSL. If you see the video posted in your link - the guy types "http://gmail.com" and instead of being sent to "https://www.google.com/accounts/ServiceLogin?" to login, he is being redirected to "http://www.google.com/accounts/ServiceLogin?". That is, SSL is still safe, provided you take notice of whether you are on an encrypted page or not.

The TV show the Real Hustle showed this run as a scam to harvest credit card details. A scammer with a laptop sets up as a fake access point which serves up fake payment screen to anyone who connects to that point. Most of the people connecting to the point assume that the payment screen is legitimate and enter their details. You might not catch the truly paranoid or alert, but there's still plenty of people who would be fooled.

I don't participate much in the bore-a-thon dick-measuring contest called "Windows v Linux" on /. but for the record, it's crap reporting to claim that Windows 7's "SoftAP" is a "rogue" which allows "ghostriding" while Linux's "802.11s mesh networking" is somehow better because it pre-dates Windows 7 when it allows the same problem which needs to be policed.

I have lots of criticisms of Windows generally and I run XP and Kubuntu, but SoftAP is a network management issue for corporate networks, not a "rogue".

Agreed, this is beyond stupid. You could do the same with XP if you like, but now it's a little easier. I used to share a cellular card this way years ago. The "policing" and "lockdown" of "rogue" access points is like one click in group policy or a value in a reg key.

Quite a number. Perhaps not your average cubicle-slave but certainly those in 'client-facing roles' and those encouraged to take work home with them (read unpaid overtime). If security is lax, don't underestimate teenage children in re-enabling features on their parent's work laptop. Then there's consultant teams hired on a project basis that bring their own hardware and aren't subject to internal re-imaging of machines.

...you make decisions about how you want to configure it, you put some work into researching how it should be configured correctly, and you face the consequences of what can go wrong if you mess it up.

If you need to be nursemaided in your computer use, stick with a Mac or Windows. If you're prepared to put some effort into learning how a computer works and how to search forums and asks questions of people who are more than willing to help you out free-of-charge, then try Linux.

Yes, it's that simple... and for most people, they don't want to research all that.

And if Linux wants to be popular with those people, it's going to have to change a bit.

It's more than knowing how a computer works. The only thing you're talking about right now is software. You're not talking about having to know how a graphics card works in order to use it. You're talking about software configuration. But the problem I have with your simplistic explanation is this: for most people, a generic configurati

This is precisely the reason why I have a problem with so many people on here...

There is *NO*, repeat, *NO* war being waged by Linux to defeat Microsoft. If there was, then it would have already won several battles when it comes to its penetration into server space and into embedded devices - but in the case of servers, it has done far more damage to displacing Sun Solaris, AIX, HP-UX and other "paid for" UNIX implementations.

So there is no *desire* for Linux to be accepted, it's there as an alternative and

In general, I agree with you. The problem I have is that it seems a lot of Linux users look down their noses at Windows users, as though they are stupid and ignorant and if they REALLY were intelligent they would use Linux... because it's intelligent people that care about their computer that are interested in dealing with the issues in order to run a superior operating system.

I guess it's the "superiority complex" issue that seems to be what I take issue with. I know people that are quite happy with Wind

Rubbish. If you have an installed Linux system, what do you need to learn to do everyday tasks like web surfing or word processing? That you use "firefox" instead of "The blue E" and "OpenOffice" instead of "Office".

My time is no longer worth nothing and the last thing I want to do is spend time dicking around with a computer for everyday use. At work it costs money and at home, it's the last thing I want to do when I get home. And every time I attempt to use Linux in a desktop environment, I still have to fuck around with some piece of hardware to get it to work. Hell even when I did research this last time on wireless hardware, all the sites said it would work and the card was a couple years old. So I bought it a

I'm a telecoms consultant billed at $300 per hour, my head is not so far up my backside that I cannot find time to continually hone my skills & play about with operating systems (whether Linux, Windows, whatever) and last but not least, someone who demands as much for their time as you do probably should learn to control your language and temperament a little better.

Using Linux, you're expected to take responsibility for your computer and how it's configured. If it's borked, that's because you probably didn't research/learn as you should have and almost certainly changed something without knowing what it does or is for.

When a Windows box is borked, it's generally because MS screwed it up FOR you, before you got it, and without telling you -- if you had any interest in it working correctly in the first place (which most Windows users are willing to ass

As I'm both a Windows XP and Linux user (and I like them both for their own reasons), let me explain this to you in more detail.

Any Linux application I use holds its configuration in a text-based file somewhere on the system - either in my home directory, or globally under /etc somewhere. Whenever I want to change the configuration of an app, I can back up the old configuration just by making a copy of a text file.

So if I'm messing about with the configuration of, say, Xorg (the modern implementation of the

I've been running Linux for over 5 years, and have never had to do anything like that to get a USB drive to work.

Sure, there's some hardware that won't work under Linux because of drivers -- usually cheap-ass crap that people shouldn't be buying in the first place. Then again, my Linux system does recognise the vast majority of hardware, and doesn't need separate drivers for any of it. Hell, the first thing I do when I buy hardware for my system is throw away the Windows drivers disk(s) that came with it, a

Actually, your comment tells me that you've never used Linux - or at least not recently.

I have all manner of USB disks, webcams, drives, phones, etc. at home and use them all on dual-booting Gentoo Linux and Windows XP machines. The biggest problem I have had with USB recently (and strictly speaking it's not a USB issue) is how to get NTFS-formatted external USB disks to mount with proper permissions using the ntfs-3g user space driver.

The reason this problem came about in the first place was because Micros

This doesn't seem like any more of a problem than someone jacking in to an empty ethernet port on your network, except that a) they can do it from outside the building wirelessly and b) any special software used by the 7 user to access the network could potentially helpfully forward packets from others, but that would probably be a fault of the software not checking the origin IP on packets...

Anyways the fix is simple. Require authentication for all network resources. Windows enterprise solutions are set up like this by default and do it transparently using Windows login credentials. An intruder on your network would be unable to access anything. There is the LITTLE issue of exploits, so you can either batten down the hatches as much as you can and continually scan for suspicious network traffic, or you can try an alternate solution which may work better (a combination of both would be best):

For complete security, IT could notify all employees that use of this feature is not permitted. On corporate machines it could be disabled or removed or steps taken to block access, but you must assume users are clever enough to get it working (not to mention booting from a LiveCD bypasses every protection known, except complete Windows software compatibility. Someone did mention Linux software that did this though, and my brother's WiFi card supposedly does it too with a special included application.). IT could also compromise and allow users to use it if it is properly configured, with clear steps outlining how to check if this is the case. However either way, severe penalties (starting with being kicked off the network until you have resolved the problem) would be issued for having an open access point. IT would have to periodically stage their own "attacks" to look for such hotspots and attempt to connect, and then lock the user out of the network if they are able to access the user's machine anonymously (ie folder shares with company files) or the network.

OK so it's a long winded solution but basically: The problem isn't new, lock down systems with authentication best you can, routinely scan for hotspots and penalize users that put them up.

Disclaimer: I am not a security expert but I like to think I've picked up a few things.
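One way to do the periodic hotspot sweep the post above describes, as an added example that is not part of the thread: parse a `netsh wlan show networks mode=bssid` listing and flag cells that do not belong. The scan text is constructed in the layout netsh prints, and the SANCTIONED inventory is hypothetical.

```python
import re
from dataclasses import dataclass, field

# Hypothetical inventory: each IT-managed SSID and the BSSIDs of its own APs.
SANCTIONED = {"CorpNet": {"00:11:22:33:44:55", "00:11:22:33:44:66"}}

# Constructed sample in the layout of `netsh wlan show networks mode=bssid`:
# the real corporate AP, an open evil twin of it, and an ad hoc cell.
SAMPLE_SCAN = """\
Interface name : Wi-Fi
There are 3 networks currently visible.

SSID 1 : CorpNet
    Network type            : Infrastructure
    Authentication          : WPA2-Enterprise
    BSSID 1                 : 00:11:22:33:44:55

SSID 2 : CorpNet
    Network type            : Infrastructure
    Authentication          : Open
    BSSID 1                 : AA:BB:CC:DD:EE:FF

SSID 3 : Free Public WiFi
    Network type            : Adhoc
    Authentication          : Open
    BSSID 1                 : 02:11:22:33:44:77
"""


@dataclass
class Network:
    ssid: str
    net_type: str = ""
    auth: str = ""
    bssids: list = field(default_factory=list)


def parse_scan(text):
    """Turn the netsh listing into one Network record per 'SSID n :' block."""
    nets = []
    for line in text.splitlines():
        m = re.match(r"\s*SSID \d+ : (.*)", line)
        if m:
            nets.append(Network(ssid=m.group(1).strip()))
            continue
        m = re.match(r"\s*(Network type|Authentication|BSSID \d+)\s*: (.*)", line)
        if not m or not nets:
            continue
        key, val = m.group(1), m.group(2).strip()
        if key == "Network type":
            nets[-1].net_type = val
        elif key == "Authentication":
            nets[-1].auth = val
        else:
            nets[-1].bssids.append(val.lower())
    return nets


def audit(nets, sanctioned=SANCTIONED):
    """Return (bssid, reason) pairs for cells IT should go and find."""
    findings = []
    for n in nets:
        for b in n.bssids:
            if n.ssid in sanctioned and b not in sanctioned[n.ssid]:
                findings.append((b, f"BSSID not in inventory for managed SSID {n.ssid!r}"))
            elif n.net_type.lower() == "adhoc":
                findings.append((b, f"ad hoc cell {n.ssid!r}"))
            elif n.auth.lower() == "open":
                findings.append((b, f"open access point {n.ssid!r}"))
    return findings


if __name__ == "__main__":
    for bssid, reason in audit(parse_scan(SAMPLE_SCAN)):
        print(bssid, reason)
```

A BSSID flagged against a managed SSID is the evil-twin case; the ad hoc and open findings are the "Free Public WiFi" style cells the thread mentions later on.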

You are misunderstanding the problem.
The PC running this feature becomes a router bridging their local and probably unauthenticated network with whatever secure network they are already connected to. Add network connection sharing to the mix and you have a security hole regardless of how 'locked down' the original network is.
How big a problem this is will depend on the implementation and I haven't seen it.

No, you are misunderstanding the problem. None of these features: virtual WiFi, connection sharing and bridging, are turned on by default.

The GP is exactly right. If someone wants to 'attack' your network this way, it's no different from walking in with a laptop and an extra usb wifi device. Windows 7 makes it slightly less expensive, that's all.

But still they have to authenticate against AD to access shares? Well, I guess this depends how things are configured but I sure as hell can't access our corporate network shares without proper authentication.

Cisco Wireless (used to be Airespace) and other wireless management controllers have had the ability to detect rogue networks for at least 5 years. If they see a rogue, they can attempt to use the nearest AP to connect, and see if the packets can route back to your network. (Showing you if someone plugged a Linksys router into your building's wired network, or if the business next door just got wireless)

The Airespace controller even had a "feature" that was heavily discouraged that would basically take a

Cisco's implementation is the most cumbersome and the most expensive. I don't truly know how useful it is compared to Aruba's, but I know that Aruba's works like a charm every time, and is automatic and fast.

Can you stop by and have a conversation with my HR department? The finance department seems to be stripping security out of the network under the guise of "controlling costs", yet I can't get an HR policy to make it a termination worthy offense to bypass the few controls that are left.

Yes, give Cisco sh*tloads of money. It's just like the easy solution with corrosion, coat everything in gold. There are better things to do with budgets. I had an idiot bring in his own wireless access point instead of borrowing any of the spare 8 port switches and a 2 metre cable - and that idiot turned on dhcpd and took quite a few people off the network. The only real way to stop that is firewalls all over the place or firewalls built into all the switches. Effectively you tel

Some unfortunates have content filters that wouldn't let my post through otherwise, hence the asterisks - now you know why you see them sometimes. For some reason everyone missed the first sentence about switches that can do this being expensive. What would you do without to upgrade a working network with less than ideal security? Would you go without the things that make the production network productive? That IS sometimes the choice. We are talking about replacing switches worth a couple of hundred wi

I didn't RTFA, but I guess the problem is the user will see an AP with the same SSID that the user used to be connecting to...and be tricked into connecting to it, but that's actually a rogue one? Even without Win 7, I could do it with a $50 SOHO Wireless Router!...

The parent is right - If your network is that sensitive, please turn on Group Policy to require IPSec encryption on both ends, and require a proxy (say MS ISA) to go to the Internet. Then the rogue AP doesn't really matter.

Yeah, I checked Connectify when it was first released as a beta. Unfortunately they force WPA security thus it is not useful for connecting other portable devices (say Nintendo DS). In addition it is not possible to make it work if you are behind a proxy.

Didn't we already go through this with Ad Hoc networks on the original version of Win XP? The 'Free Public Wifi' SSID is still around today thanks to this poorly conceived 'convenience' and it was a nightmare for anyone trying to manage a secure wireless network.
I think time will show this feature not being worth the trouble it causes.

What you attempt with 'ghost ride' is better communicated and less retarded with one of the following phrases:

* piggy-backing
* covert channel
* out-of-band

There's no applicable analogy with 'ghost ride' to communicate what you're trying to describe. Don't try to introduce new lingo. You might as well call it 'Dog sledding' as it has just as much in common with covert channels as 'ghost riding' does.

Seriously! That is exactly what I wanted to do a few months ago, but it seems I can't with my WiFi Link 5300. Hostap seems to be for Prism chipsets. Easily creating an AP to share files or to play with neighbors [ex-parrot.com] was one of the bonuses I expected from my switch to Ubuntu. What is going on? Is Windows now becoming the fun OS for geeks and Linux the boring Desktop for the average users?

Is the WiFi Link 5300 Intel based? A recent blog entry [blogspot.com] from Connectify indicates that there may be issues with those drivers - at least for Windows. Mind you, if Intel has an outstanding issue in the Windows drivers, it's possible that it's a problem in the Linux version as well.

Lacking more info, I'm going to venture a guess that yes, the 5300 the GP mentions is the Intel Pro Wireless 5300 chipset (802.11abgn, and generally pretty darn good). The Linux drivers for it are open-source, but that doesn't necessarily mean bug-free or that all features are available. It does mean you could try to get it working yourself if you want, though. I have one such chipset myself, and while I've never tried to make it act as an AP, it would be neat to be able to do so.

Yes, it's the Intel WiFi Link 5300 (in a Thinkpad), using the iwlagn driver (in Ubuntu 9.04). Not sure if it's because of the chipset, the driver or their combination, but it doesn't support master mode:

Is there an article on Network World that condemns Linux for having this ability? Well I did find this [networkworld.com] when I searched for Linux and HostAP. Don't see anything in the article mentioned that it too, could be a security risk if used incorrectly. It's not called Beware the

If this article is accurate, we'll see the beginnings of real ad-hoc mesh networks starting in 2010. This feature has the potential for allowing massive ad-hoc networks. Awesome. ISPs are going to pee themselves. Awesome.

Nah, they'll start charging by the gigabyte, so if you hook a computer up to internet and 2000 machines end up routing through it downloading Wolverine, you'll have to pay for 1.4 TB of traffic ($1400 at 1 dollar per gigabyte). Hopefully we'll get rid of ISPs entirely sooner or later, also fixing the net neutrality problem, the throttling problem and kicking the RIAA a few extra times but it'll take at least a decade.